[Pkg-samba-maint] [Announce] Samba 4.11.2, 4.10.10 and 4.9.15 Security Releases Available

Mathieu Parent math.parent at gmail.com
Tue Oct 29 16:43:04 GMT 2019


Hello,

I've just uploaded 2:4.11.1+dfsg-2 to sid, fixing CVE-2019-10218 and
CVE-2019-14833 (not affected by CVE-2019-14847).

I've prepared the following:

samba (2:4.9.5+dfsg-5+deb10u2) buster-security; urgency=high

  * New security release
    - CVE-2019-10218: Malicious servers can cause Samba client code to return
      filenames containing path separators to calling code.
    - CVE-2019-14833: When the password contains multi-byte (non-ASCII)
      characters, the check password script does not receive the full password
      string.
    - CVE-2019-14847: Users with the "get changes" extended access right can
      crash the AD DC LDAP server by requesting an attribute using the range=
      syntax.
      Samba 4.9 is impacted if -M prefork or -M single is used. To mitigate this
      issue, select -M standard (the default).

 -- Mathieu Parent <sathieu at debian.org>  Mon, 21 Oct 2019 15:21:02 +0200

Should I upload to security-master-unembargoed?

Regards

Mathieu Parent

On Tue, 29 Oct 2019 at 10:47, Karolin Seeger via samba-announce
<samba-announce at lists.samba.org> wrote:
>
> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defects:
>
> o CVE-2019-10218: Client code can return filenames containing path separators.
> o CVE-2019-14833: Samba AD DC check password script does not receive the full
>                   password.
> o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
>                   via dirsync.
>
> =======
> Details
> =======
>
> o  CVE-2019-10218:
>    Malicious servers can cause Samba client code to return filenames containing
>    path separators to calling code.
>
> o  CVE-2019-14833:
>    When the password contains multi-byte (non-ASCII) characters, the check
>    password script does not receive the full password string.
>
> o  CVE-2019-14847:
>    Users with the "get changes" extended access right can crash the AD DC LDAP
>    server by requesting an attribute using the range= syntax.
>
> For more details and workarounds, please refer to the security advisories.
>
>
> Changes:
> --------
>
> o  Jeremy Allison <jra at samba.org>
>    * BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
>      from evil server returned names.
>
> o  Andrew Bartlett <abartlet at samba.org>
>    * BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable
>      password.
>    * BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
>      combined with dirsync.
>
> o  Björn Baumbach <bb at sernet.de>
>    * BUG 12438: CVE-2019-14833 dsdb: Send full password to check password
>      script.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> from:
>
>         https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
>         https://www.samba.org/samba/history/samba-4.11.2.html
>         https://www.samba.org/samba/history/samba-4.10.10.html
>         https://www.samba.org/samba/history/samba-4.9.15.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
>                         --Enjoy
>                         The Samba Team



-- 
Mathieu
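The defect behind CVE-2019-10218 above is a client trusting directory entry names a server returns. As an added example (not Samba's code or its fix), this Python check shows what a client-side consumer of such listings should enforce before building local paths; the destination directory and the sample listing are constructed for illustration.

```python
import posixpath

# A single directory entry returned by a server must be one path component.
# Both separators are rejected, since either may be treated as a separator
# when the client builds a local path; NUL is rejected as a terminator trick.
FORBIDDEN_CHARS = ("/", "\\", "\0")
RESERVED_NAMES = (".", "..")


def is_safe_entry_name(name: str) -> bool:
    """True only if a server-supplied name is a plain single component."""
    if not name or name in RESERVED_NAMES:
        return False
    return not any(ch in name for ch in FORBIDDEN_CHARS)


def local_target(dest_dir: str, name: str) -> str:
    """Join a validated entry name onto an absolute destination directory
    and confirm the result is a direct child of it; raise otherwise."""
    if not is_safe_entry_name(name):
        raise ValueError(f"rejecting server-supplied name {name!r}")
    base = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    # Defence in depth: even after the name check, the parent must be base.
    if posixpath.dirname(target) != base:
        raise ValueError(f"{name!r} escapes {base!r}")
    return target


def filter_listing(dest_dir: str, names):
    """Split a listing into (accepted local targets, rejected names)."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(local_target(dest_dir, n))
        except ValueError:
            rejected.append(n)
    return accepted, rejected


# Constructed sample listing mixing ordinary names with ones a hostile
# server could return; "ok\\name" is a single backslash in the string.
SAMPLE_LISTING = ["report.txt", "../outside.txt", "sub/dir", "..", "ok\\name", "notes"]

if __name__ == "__main__":
    ok, bad = filter_listing("/home/user/download", SAMPLE_LISTING)
    print("accepted:", ok)
    print("rejected:", bad)
```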


